Security in PHP example from a Well House Consultants training course
More on Security in PHP [link]

This example is described in the following article(s): • Injection Attacks - PHP, SQL, HTML, Javascript - and how to neutralise them - [link]

Source code: inject.php Module: H117

<?php

/* This is a simple example that's designed to show what an HTML injection,
   a Javascript injection and an SQL injection are. I have published the code
   here with the lines that add protection against attacks NOT commented out,
   so that this code in its current form is safe. Please be very careful if
   you delete those lines ... */

# (Assumed from context: $report and $lookfor hold raw user input read from
#  the request earlier in the script; that part is not shown on this page.)

# HTML Injection attack (using characters like < and & and ") :
# SOLUTION will be to use htmlspecialchars as in following line:
# -------------------------------------------
$report = htmlspecialchars($report);
# -------------------------------------------
# (Delete / comment out that line above if you want to try an injection)

# nasty thing to try:

# <h1>
# shout the rest of the page!

# {some Javascript}
# sends JS as part of the echo; browser then thinks
# it's clean because it's code delivered from the server
# this is known as a Javascript injection attack
# Cure is htmlspecialchars (again!)

# SQL injection attack (using characters such as ' ):
# SOLUTION will be to escape the value with mysql_real_escape_string
# as in following line (it needs an open mysql connection; the mysql
# extension was removed in PHP 7, where a prepared statement does this job):
# -------------------------------------------
$lookfor = mysql_real_escape_string($lookfor);
# -------------------------------------------
# (Delete / comment out that line above if you want to try an injection)
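The two neutralisation steps the comments above describe, worked through on constructed inputs as an added example (this is not the course's inject.php code). It keeps htmlspecialchars() for the HTML/Javascript case and swaps the mysql_real_escape_string() step for a PDO prepared statement, since the mysql extension no longer exists in current PHP; it assumes the pdo_sqlite extension is present so it runs without a MySQL server, and the table and its rows are constructed for the demonstration.

```php
<?php
// Added example, not from the course page: the "before" and "after" of both
// injection cases on constructed inputs, using current PHP APIs.
declare(strict_types=1);

// Constructed sample inputs standing in for raw form fields.
$report  = '<h1>shout</h1><script>alert("injected")</script>';
$lookfor = "x' OR '1'='1";

// HTML / Javascript injection: encode at the point of output.
// ENT_QUOTES also encodes ' so the value is safe inside single-quoted attributes.
function safeForHtml(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The "before" form: user input pasted straight into the query text.
function findByNameUnsafe(PDO $db, string $lookfor): array
{
    $rows = $db->query("SELECT name FROM people WHERE name = '$lookfor'");
    return $rows->fetchAll(PDO::FETCH_COLUMN);
}

// The "after" form: user input sent as a bound parameter, never as query text,
// so nothing in the value can change the shape of the statement.
function findByName(PDO $db, string $lookfor): array
{
    $stmt = $db->prepare('SELECT name FROM people WHERE name = :name');
    $stmt->execute([':name' => $lookfor]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// In-memory SQLite (assumed available) with three constructed rows; the third
// row's name is literally the payload string, so the safe query matches exactly one.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE people (name TEXT)');
$db->exec("INSERT INTO people (name) VALUES ('alice'), ('bob'), ('x'' OR ''1''=''1')");

echo "Raw report:     $report\n";
echo "Encoded report: " . safeForHtml($report) . "\n";   // &lt;h1&gt;... renders as text

echo "Unsafe query rows for payload: " . count(findByNameUnsafe($db, $lookfor)) . "\n"; // 3: WHERE became always-true
echo "Bound query rows for payload:  " . count(findByName($db, $lookfor)) . "\n";       // 1: only the literal match
echo "Bound query rows for 'alice':  " . count(findByName($db, 'alice')) . "\n";         // 1
```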

This is a sample program, class demonstration or answer from a
training course. Its main purpose
is to provide an after-course service to customers who have attended our
public, private or
on site courses, but the examples are made
generally available under conditions described below.

Past attendees on our training courses are welcome to use individual
examples in the course of their programming, but must check
the examples they use to ensure that they are suitable for their
job. Remember that some of our examples show you how not to do
things - check in your notes. Well House Consultants take no responsibility
for the suitability of these example programs to customers' needs.

This program is copyright Well House Consultants Ltd. You are
forbidden from using it for running your own training courses
without our prior written permission. See our
page on courseware provision for more details.

Any of our images within this code may NOT be reused on a public URL without our
prior permission. For Bona Fide personal use, we will often grant you permission provided
that you provide a link back. Commercial use on a website will incur a license fee for
each image used - details on request.